Bug 740194 - SELinux is preventing /usr/bin/updatedb from 'search' accesses on the directory /var/lib/qpidd.
Summary: SELinux is preventing /usr/bin/updatedb from 'search' accesses on the directo...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:ad37312f08d...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-21 09:13 UTC by Tony Browning
Modified: 2011-09-21 14:40 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-21 14:40:56 UTC


Attachments (Terms of Use)

Description Tony Browning 2011-09-21 09:13:18 UTC
SELinux is preventing /usr/bin/updatedb from 'search' accesses on the directory /var/lib/qpidd.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label. 
/var/lib/qpidd default label should be var_lib_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lib/qpidd

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow updatedb to have search access on the qpidd directory
Then you need to change the label on /var/lib/qpidd
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/qpidd'
where FILE_TYPE is one of the following: sysctl_crypto_t, setrans_var_run_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, root_t, tmp_t, usr_t, var_t, samba_var_t, locate_var_lib_t, avahi_var_run_t, device_t, net_conf_t, etc_t, inotifyfs_t, proc_t, anon_inodefs_t, dirsrv_var_run_t, textrel_shlib_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t, sssd_var_lib_t, file_type, rpm_script_tmp_t, security_t, default_t, rpm_tmp_t, var_run_t, bin_t, cert_t, usr_t, var_t, winbind_var_run_t, noxattrfs, sssd_public_t, filesystem_type, device_t, locale_t, locate_t, rpm_log_t, etc_t, var_log_t, proc_t, likewise_var_lib_t, krb5_conf_t, abrt_var_run_t, var_lib_t, var_run_t, nscd_var_run_t, pcscd_var_run_t, var_t, var_t, var_run_t, var_run_t. 
Then execute: 
restorecon -v '/var/lib/qpidd'


*****  Plugin catchall (1.44 confidence) suggests  ***************************

If you believe that updatedb should be allowed search access on the qpidd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /var/lib/qpidd [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mlocate-0.23.1-1.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.14-96.fc14.i686 #1 SMP Thu
                              Sep 1 12:49:38 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Tue 20 Sep 2011 03:21:44 AM EDT
Last Seen                     Wed 21 Sep 2011 03:32:38 AM EDT
Local ID                      92be723f-527a-4386-8812-c1781306d23b

Raw Audit Messages
type=AVC msg=audit(1316590358.660:517): avc:  denied  { search } for  pid=4795 comm="updatedb" name="qpidd" dev=dm-0 ino=1062716 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir


type=SYSCALL msg=audit(1316590358.660:517): arch=i386 syscall=chdir success=no exit=EACCES a0=8cdf769 a1=bf8f1ce0 a2=bf8f1ec4 a3=bf8f1d38 items=0 ppid=4789 pid=4795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=59 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash: updatedb,locate_t,unlabeled_t,dir,search

audit2allow

#============= locate_t ==============
#!!!! This avc is allowed in the current policy

allow locate_t unlabeled_t:dir search;

audit2allow -R

#============= locate_t ==============
#!!!! This avc is allowed in the current policy

allow locate_t unlabeled_t:dir search;

Comment 1 Daniel Walsh 2011-09-21 14:40:56 UTC
I think there was an update problem,  Just do what the alert tells you 

restorecon -R -v /var/lib/qpidd 

And you should be all set.


Note You need to log in before you can comment on or make changes to this bug.